Secure Your .NET Applications and Integrate Them with Active Directory

Editorial Note

This article is in the Product Showcase section for our sponsors at CodeProject. These reviews are intended to provide you with information on products and services that we consider useful and of value to developers.

Introduction

Do you need one solution for managing users and security in all .NET applications? Or do you need to integrate your applications with Active Directory? PortSight Secure Access can solve most security issues. Even better - you can get it completely free!

Quick Overview

PortSight Secure Access is a .NET component. It provides a database of users, user groups and organizational units and it allows you to control access to your applications. The programming interface can be used in ASP.NET, WinForms and Web Services. The Enterprise Edition allows you to import user accounts from Active Directory, Windows domains and ODBC-enabled databases.

Figure 1 - PortSight Secure Access high-level architecture.

Installation and Application Security Wizard

The installation of PortSight Secure Access is simple - you just go through the wizard and it creates the Secure Access user database and installs the Web-based user interface.

Figure 2 - PortSight Secure Access installation is really smooth.

The Application Configuration Wizard helps you configure security of your ASP.NET application in a few easy steps. You only need to create an empty ASP.NET project and choose the security options in the wizard. You can choose between Forms and Windows authentication. The wizard modifies the virtual directory security settings, copies Secure Access files to your application and modifies the Global.asax file.

Authentication

After completing the wizard and compilation, your application requires authentication and is fully prepared for implementing authorization and auditing features. If you chose Forms authentication, users have to provide their user name and password. In this case, passwords are stored in the database. You can choose to store only a hash of each password, so that the passwords themselves are never exposed.

Figure 4 - The logon form offers rich functionality, including "Send Forgotten Password" and "Change Expired Password" features. It also enforces the password policy when changing the password.

Customizable User Profiles

User profiles are stored in the database along with other information. The profile contains the most common fields, such as user name, full name, e-mail address or shipping address. But the default fields do not limit you - you can add any number of custom properties to the user profile. You can use these fields for storing user preferences and settings.

Figure 5 - User profile can contain any number of your custom properties.

Authorization - Controlling Access to Application Modules

PortSight Secure Access allows you to control access to particular modules or features. It provides a variety of authorization methods.

Checking Membership in Groups and Organizational Units

The simplest authorization method is checking a user's membership in a particular group or organizational unit.

Code 1 - Checking user membership.

[VB.NET]

If ARHelper.IsMember("JohnD", "PMs") Then ...

[C#]

if (ARHelper.IsMember("JohnD", "PMs")) { ... }

Role-based Security

A more advanced, and the most common, approach is role-based security. You can define any number of roles for each application and assign these roles to users and groups.

Code 2 - Checking whether a user is a member of a particular role.

[VB.NET]

If ARHelper.IsInRole("JohnD", "WorkReports.Manager") Then ...

[C#]

if (ARHelper.IsInRole("JohnD", "WorkReports.Manager")) { ... }

Figure 6 - The Web-based user interface allows you to manage security of your applications from one single point.

Checking User Permissions

Permissions represent the most flexible authorization method. You can define permissions for each application or module and then grant these permissions to users. However, the preferred solution is to grant permissions to roles instead of users, and to assign users (or groups) to these roles. In this way, your customer can easily modify the default permissions of particular roles without your help. It also spares you from rewriting application code when the customer decides that "TeamLeaders role members should be allowed to APPROVE in the WORKREPORTS application" instead of "TeamLeaders role members should only be allowed to READ in the WORKREPORTS application".

Code 3 - Checking user permissions.

[VB.NET]

If ARHelper.IsAuthorized("JohnD", "WorkReports.ReportViewer", "Read") Then ...

Figure 7 - Permissions for particular roles can be easily managed using the Permission Matrix control.
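The following is an added example, not PortSight's own code, that models the role-to-permission indirection described above: PermissionMatrix is a hypothetical in-memory stand-in for the Secure Access database and Permission Matrix control, and its IsAuthorized method mirrors the shape of the ARHelper.IsAuthorized call shown in Code 3. The application code names only the module and permission, so the customer's change ("TeamLeaders may also Approve") is a data change, not a code change.

```csharp
using System;
using System.Collections.Generic;
// Hypothetical in-memory stand-in for the Secure Access permission matrix:
// roles carry "Module:Permission" grants and users are assigned to roles.
public sealed class PermissionMatrix
{
    private static readonly StringComparer Cmp = StringComparer.OrdinalIgnoreCase;
    private readonly Dictionary<string, HashSet<string>> _rolePerms = new Dictionary<string, HashSet<string>>(Cmp);
    private readonly Dictionary<string, HashSet<string>> _userRoles = new Dictionary<string, HashSet<string>>(Cmp);

    private static HashSet<string> Bucket(Dictionary<string, HashSet<string>> map, string key)
    {
        if (!map.TryGetValue(key, out var set))
            map[key] = set = new HashSet<string>(Cmp);
        return set;
    }

    // Administrative changes: these are data, edited in the admin UI, never in application code.
    public void Grant(string role, string module, string permission) => Bucket(_rolePerms, role).Add(module + ":" + permission);
    public void AssignRole(string user, string role) => Bucket(_userRoles, user).Add(role);

    // Same shape as ARHelper.IsAuthorized(user, module, permission): the user is
    // authorized when ANY of their roles carries the grant; anything unknown is denied.
    public bool IsAuthorized(string user, string module, string permission)
    {
        if (!_userRoles.TryGetValue(user, out var roles)) return false;
        string needed = module + ":" + permission;
        foreach (string role in roles)
            if (_rolePerms.TryGetValue(role, out var perms) && perms.Contains(needed))
                return true;
        return false;
    }
}

public static class WorkReportsPage
{
    // Application code names only the module and the permission, never a role,
    // so it does not change when the customer re-assigns what TeamLeaders may do.
    public static bool CanApprove(PermissionMatrix m, string user) => m.IsAuthorized(user, "WorkReports.ReportViewer", "Approve");

    public static void Main()
    {
        var m = new PermissionMatrix();
        m.Grant("TeamLeaders", "WorkReports.ReportViewer", "Read");
        m.AssignRole("JohnD", "TeamLeaders");
        Console.WriteLine("Before: " + CanApprove(m, "JohnD"));   // TeamLeaders may only Read
        // The customer later decides TeamLeaders may also Approve: a matrix edit only.
        m.Grant("TeamLeaders", "WorkReports.ReportViewer", "Approve");
        Console.WriteLine("After:  " + CanApprove(m, "JohnD"));
    }
}
```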

Web Content Authorization

So far, we have mentioned only authorization in your applications. However, PortSight Secure Access also allows you to control access to downloading any Web content. You can define the content using a path mask, such as "*.doc" or "/PortSight/secret/img*.jpg", and you can check in your code what permissions (in Secure Access) are required for the files.
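As an added example, not part of the original article or of PortSight's code, here is one way to map the path masks described above to the Secure Access permission each file requires. ContentRule, ContentAuthorizer and the module names "Intranet.Secret" and "Intranet.Documents" are assumptions; the isAuthorized delegate has the shape of ARHelper.IsAuthorized(user, module, permission) so the real check can be passed in.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
// A rule ties one path mask to the Secure Access module/permission it requires.
public sealed class ContentRule
{
    public Regex Pattern { get; }
    public string Module { get; }
    public string Permission { get; }
    public ContentRule(string mask, string module, string permission)
    {
        // Escape the mask so '.' is literal, then let '*' match any run of characters.
        // A mask without a leading '/' (e.g. "*.doc") applies anywhere in the site.
        string body = Regex.Escape(mask).Replace(@"\*", ".*");
        string anchored = (mask.StartsWith("/") ? "^" : "^.*") + body + "$";
        Pattern = new Regex(anchored, RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
        Module = module;
        Permission = permission;
    }
}

public static class ContentAuthorizer
{
    // First matching rule wins, so list the most specific masks first.
    public static readonly ContentRule[] Rules =
    {
        new ContentRule("/PortSight/secret/img*.jpg", "Intranet.Secret", "Read"),
        new ContentRule("*.doc", "Intranet.Documents", "Read"),
    };

    // Returns the rule a request falls under, or null for content no mask protects.
    public static ContentRule RequiredPermission(string requestPath)
    {
        // Resolve "." and ".." segments before matching, so a request such as
        // "/PortSight/public/../secret/img1.jpg" is judged by its real target.
        string canonical = new Uri(new Uri("http://localhost/"), requestPath).AbsolutePath;
        foreach (ContentRule rule in Rules)
            if (rule.Pattern.IsMatch(canonical))
                return rule;
        return null;
    }

    // 'isAuthorized' has the shape of ARHelper.IsAuthorized(user, module, permission),
    // so the real Secure Access check can be passed in unchanged.
    public static bool IsAllowed(string user, string requestPath, Func<string, string, string, bool> isAuthorized)
    {
        ContentRule rule = RequiredPermission(requestPath);
        return rule == null || isAuthorized(user, rule.Module, rule.Permission);
    }
}
```

Content that matches no mask is treated as public here; add a broad catch-all mask such as "/PortSight/secret/*" last in the list if everything under a folder should require a permission.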

Auditing Trail

An important feature of application security is the auditing of user activities. It can help you detect attacks and attempts at unauthorized access to secret data, and also keep track of data modifications. Last but not least, some laws, including the HIPAA rules, require an auditing trail.

Delegation

In some cases, the security of the system requires immediate and frequent changes. When a manager gets new people on the project, it's often necessary to grant them permissions to various applications. With PortSight Secure Access delegation features, the manager can do this without waiting for an administrator. The administrator can easily delegate the management of groups, organizational units and roles to privileged users.

Figure 8 - You can delegate part of the security management to privileged users and avoid an administrator bottleneck. All you have to do is add this user control to your application.

Creating, modifying and deleting users and groups in several systems becomes difficult or even impossible as the number of systems grows. Although PortSight Secure Access has its own user database, this doesn't mean that it's another headache for your administrator.

It allows you to set up a regular import from Microsoft Active Directory, Windows domains and existing ODBC-enabled databases. You can import user accounts as well as user groups, organizational units and membership information. When you update a user's e-mail address in Active Directory, the change is automatically copied to your Secure Access database during the periodic import, ensuring that your application works with the latest data.

Figure 9 - You can map source properties to Secure Access fields in the Import Wizard.

Reusable User Controls

Secure Access is delivered with several ASP.NET user controls, such as:

One Solution for All Platforms

PortSight Secure Access 2.0 supports not only ASP.NET applications, but also WinForms and Web Services. WinForms applications can use the Secure Access components directly or, preferably, consume the Secure Access Web Service, which exposes the most frequently used methods to client applications. Using this Web Service, you can use Secure Access features on virtually any platform or device with Web Services support.

The new Secure Access version also comes with support for securing your own Web Services. It uses Microsoft Web Services Enhancements (WSE) to implement the WS-Security standard. The users of your Web Service need to provide their user name and password to call Web Service methods, and your Web Service can check the client's roles and permissions.

Secure Your Applications with Free Community Edition

PortSight has also released a free edition of Secure Access - the Community Edition. It's available for download on http://www.portsight.com/SecureAccess. It's limited to 100 user accounts stored in the database; it doesn't support organizational units and permissions. It's intended for smaller projects and it's free also for commercial use.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

Comments and Discussions

I have downloaded the application, and when I am trying to debug there is an error saying "unable to debug the web server"? I have tried all the ways by adding to debuggers users groups and also to administrators group? What could be the problem? Please assist me in debugging this application.

You need to make sure that your web is configured for debugging. To do this, you need to set "debug = true" in the "web.config" file. You may find this file in your web project folder.

<system.web>
  <!-- DYNAMIC DEBUG COMPILATION
       Set compilation debug="true" to insert debugging symbols (.pdb information)
       into the compiled page. Because this creates a larger file that executes
       more slowly, you should set this value to true only when debugging and to
       false at all other times. For more information, refer to the documentation
       about debugging ASP.NET files.
  -->
  <compilation defaultLanguage="vb" debug="true" />
</system.web>

Actually, there is also a setting under the Security tab in Internet Explorer that you have to set. Off the top of my head, I would suggest setting the Intranet Zone to low security, click reset and then try again.